
RSAC: Optro CISO shares risk management vision

Rich Marcus on AI and collaboration for a unified risk foundation.


Optro booth at RSAC 2026 (Photo credit: Susan Rush)

The rapid adoption of AI is transforming risk management by accelerating business change and decision-making. Risk can no longer be managed from a back office; instead, risk professionals must engage directly with business operations, build relationships and align leadership on solving the most critical risks. At RSAC 2026, Optro (formerly AuditBoard) Chief Information Security Officer Rich Marcus sat down with SmartBrief to discuss the impetus behind the company’s name change and why true risk understanding and effective change management require breaking down silos and fostering collaboration among teams.

Why the name change to Optro?

Marcus (Optro)

Marcus: Fundamentally, we believe very strongly that risk is a connected problem and requires connectedness in the solution. We got our start in audit, but that problem space is bigger than audit. And we wanted to create a brand and a set of solutions that really bring everyone to the table. 

We’re not moving away from our roots in audit – they’re a very, very important part of that puzzle – but we want to reach out across aisles and bring in folks from cyber and risk and even neighboring teams like legal, finance, compliance and regulatory and the business as well. We want them to know that this is not just an audit providing a service to the business; this is the business working together. The new name and new brand are really about optimism and the future, and it’s a more inclusive way to have that sort of risk conversation and bring folks together on that problem.

Why do you think it’s so important to have a unified risk foundation across a company?

Marcus: There are two fundamental reasons. One is, to really understand the risk landscape, you have to be embedded in the business. If you’re working in a silo, back-office somewhere, things may seem calm, quiet and safe. You need to get out into the street, where your business counterparts are innovating, taking risks and taking chances to achieve their objectives – that’s the only way you can really understand the risk landscape. And so, that takes partnership, collaboration and visibility. You can’t do that in a silo. You have to get out, build relationships, connect with people, connect with data to really understand the risk picture and then align with your leadership on the biggest risks we actually want to solve for. 

Then, if you take it a step further, the second reason is that if you’re going to effect change, the same thing is true. You can’t do that in a silo or in a back office. You have to be on the teams that can actually affect the changes. You have to bring data to tell a story and influence people to make the changes necessary to drive down risk — to unlock investment, to make business process changes or to make technology changes. You have to do that in a way that’s aligned and collaborative. If you want to make significant change, you can’t go write a report from the back office and then circulate it to everyone. It takes a much more hands-on, collaborative approach.

AI is changing how risk is assessed and managed. At the same time, there has been a shift toward cyber resilience. How can a company measure that?

Marcus: The adoption of AI across organizations is accelerating the rate of change. So decisions are being made faster, and changes to business processes and technical transformation are happening much faster. So, if you’re looking at a legacy approach to audit or risk management or compliance — where you’re doing your point-in-time, once-a-year assessment — you’re going to be too late. The business will make 100 changes between your audit report dates. We’re seeing a shift in mindset and approach among GRC and risk practitioners who have to use technology, including AI, to meet the moment where those decisions are being made. So, whether that’s acquiring new risks, identifying new risks, delivering guidance and findings to teams and reporting, that really has to take on a much more continuous nature. And you can’t do all of that without technology and without AI. What we’re doing is reimagining legacy GRC practices and functions to make them more real-time and continuous. That enables us to keep pace with the way businesses are moving now.

All that connects to the concept of resilience: If the systems and processes that you’re building have some of that rapid assessment and feedback loops built into them, they are inherently more resilient. Just one example where we’re seeing this is in software development. If you look at waterfall-based project management for software development, you’d have a 9-month project. For example, the team would write up requirements, it would get reviewed by security, they’d do a design review, a threat model, teams would then start taking that feedback and writing code, and then you have testing at the end. We’re seeing that collapse into weeks, days and hours now. And the feedback we’re providing to those teams must be real-time, high-quality and applicable to their work. So, if a developer is writing up a new design, bringing in a GRC agent or an AI security agent to evaluate that design and give really rapid feedback on the types of threats that your design includes and the security policies that apply – and having that be continuous and sort of instantaneous – is the only way that security and GRC are going to keep up with the new rate of pace, you know, post-AI revolution.

We’re going through and thinking of all of these ways that we used to do things, and trying to imagine how they’re going to look post-AI revolution. In this process, we’re finding that the end result of the systems and processes we’re building is inherently more resilient than before. That’s due to all of the GRC guidance, all of the GRC context and security context that is built in at a much earlier stage in the process. It’s not this review-and-iterate function; it’s actually kind of built into the building process.


Optro’s latest product capabilities at a glance.


What are the biggest AI risks CISOs are still underestimating in 2026? And, on the flip side, what do you think is the biggest opportunity?

Marcus: For AI risks, I’ll give you the sort of textbook answer, and then sort of what I really think it is. Most CISOs are looking at AI transformation, adoption of AI in their organizations, and they’re really thinking about four or five obvious risks. Number one is overconfidence in the technology, right? Is somebody going to implement AI in a way that causes us to make poor decisions, or leverage the output of AI in a way that assumes it’s better than it actually is? Sensitive data disclosure or leakage would be the second one. So, are we going to take our crown jewel secrets and expose them to the AI, and it’s going to make them public, or useful to our third-party partners in a way that harms us? Misconfiguration. As we know, with any new technology transformation, the way you set it up and integrate it is rife with vulnerabilities. You could make a mistake in access control, you could make a mistake in network security, in exposed systems or in exposed data. And the last one is abuse of the technology, right? Attackers are figuring out ways to abuse it — just like every technology that’s come before it. You have the intended use case, and then you have ways people figure out to abuse the technology. So, when CISOs are thinking about AI risk, it’s usually one or more of those risks or categories, and then your mind can really turn on all of those and find different combinations or permutations of those risks.

Personally, the risk I’m most concerned about is the AI arms race and the idea that attackers are leveraging AI to get better at what they do. Anthropic discovered attackers using its technology to conduct these large-scale, sophisticated cyberattacks. And they’re doing it presumably for very low cost, and with people with, you know, maybe somewhat lower skill level. You just look at what the technology is doing for the attacker community, and there’s a danger that they’ll leapfrog ahead of defenders if we can’t keep up.

The thing that really keeps me up at night is: Are my teams digging in their heels and resisting this change or are they embracing the new technology, increasing their fluency and thinking creatively about how to evolve what we do so we don’t get left behind? We have to keep up with the attackers in terms of how efficient we can be from a cyber and GRC perspective, or we’re going to lose. That’s really the thing that I think is the biggest risk, above all else.

It’s early in 2026, but CISOs have to already be thinking about 2027. What is the next major shift CISOs should be preparing for as they look at the rest of this year and into the next?

Marcus: I think the primary responsibility of the CISO through this transformation is to be a change agent to help their organizations manage the change. There’s a lot of fear and anxiety about AI and the rate at which it’s going to disrupt and change the way that individuals provide value to their organizations. Teams are going to look and feel very different, and CISOs have to be empathetic toward their teams and help them navigate through that process. They have to lead with relentless optimism and a growth mindset, encourage their teams to learn as much as they can about the technology and then be really creative and thoughtful about how the job can and should change by making good use of the technology.

There are some fundamental values that security and GRC bring to organizations that we have a responsibility to ensure survive the revolution; they need to persist through the change. And so things like data governance, access control, logging and monitoring, third-party risk and the isolation of core systems – all of these concepts don’t go away just because we implement AI. They’re just going to be implemented differently. We have to be creative and thoughtful about how we reimagine bringing those values to the organizations and carrying that as a through line through the revolution. Your teams will be responsible for figuring out how we do that. Therefore, we need to be addressing the fear and the anxiety around the change, encouraging your teams to be change resilient, and then being flexible and creative about how we adapt to the new processes and new technologies. I think that’s really the primary role of the CISO, and CISOs should really try to resist the temptation to be the Department of No. CISOs need to be a partner and advocate for their organizations that are experiencing tremendous benefit and opportunity from some of these new technologies, helping them implement them in a way that is still governable, secure and a way where they can visualize and manage the risk throughout the transformation.

What is one key piece of advice you would offer your fellow CISOs?

Marcus: Rather than trying to hire or identify who’s going to be our AI czar in an organization, I think the much more successful approach is going to be the collaborative one [that involves] bringing together all the stakeholders that have a viewpoint and a responsibility for risk management across the organization. Then, you focus on some of the new AI risks and some of the new systems and processes that are being implemented. Most importantly, resist the temptation to completely reinvent the wheel. A lot of it is just bringing some old-school governance concepts into the new technology space.

Meet Rich:
Rich is the Chief Information Security Officer at Optro, where he leads product, infrastructure and corporate IT security functions as well as Optro’s own internal risk and compliance initiatives. In this capacity, he has become an Optro product power user, leveraging the platform’s robust feature set to help achieve SOC 2, GDPR, ISO 27001 certification, and many other GRC initiatives. In his spare time, he enjoys exchanging insights with his information security leader peers in the Optro Community and participating in the Optro product development process. Prior to joining Optro, Rich led global GRC at Verizon Media and Security Operations at EdgeCast Networks.